ThreatModCon 2024 San Francisco: Highlights, Slides, and What's Next
We’re excited to have wrapped up the third ThreatModCon this past weekend in the global hub of innovation – the SF Bay Area! San Francisco holds a special place in our community as it’s where it all started. Our very first meetup happened here two years ago during OWASP’s Global AppSec conference. Back then, it was just 30 of us in a small room at a Spanish-Cali restaurant, enjoying tapas, drinks, and, of course, threat modeling.
At the time, we didn’t know where this journey would take us. All we knew was our love for threat modeling and our belief that involving more people in it could make the world a better place.
Fast forward two years, we returned to San Francisco, took over that same restaurant (this time the whole space!), and kicked off our third global conference – beyond anything we could have dreamed.
The Unkeynote: A Discussion Among Friends on Advancing Threat Modeling
It’s a tradition now – ThreatModCon doesn’t kick off with a typical keynote. This time, Matt Coles brought a bowl on stage filled with thought-provoking questions. Each speaker drew from the bowl, shared their thoughts, and invited others to contribute. Some of the questions included:
- What message do leaders need to hear to support threat modeling as a vital part of SDLC?
- Does this message differ between engineering and business leaders?
- How do we make data privacy not boring?
- How does threat modeling fit into BSIMM?
This unique panel featured some of the brightest minds in threat modeling: Adam Shostack, Jonathan Marcil, Caroline Wong, Izar Tarandach, Matt Coles, plus an AI participant voiced by Brook Schoenfield. Curious if the human experts and AI agreed or disagreed? Watch the recording when it becomes available later this month!
Deep Dives: Technical Track Highlights
This year’s content was split into two tracks. The technical track focused on:
- Modeling Dynamic External Systems. “Threat Modeling Volcanoes: Patterns of Expandable Systems” by Joern Freydank
- Using Threat Modeling to Boost Product Delivery Speed. “Use Threat Modeling to Increase Delivery Velocity Using Patterns” by Jason Nelson
- Leveraging AI for Automated Threat Modeling. “Automating Threat Modeling: Challenges and AI Solutions” by Audrey Long
These sessions were packed with valuable insights on how technical practices are evolving in the field of threat modeling.
Business and Program Insights: Driving Impact Across Organizations
The program and business track addressed common challenges, such as threat modeling often being isolated and overlooked within organizations, and shared some inspiring success stories, including:
- Extending the functionality and value of threat models beyond design time. “Amplify Downstream Value with Technology Captures and Layers” by Brenna Leath
- Strategies for embedding threat modeling into existing processes, helping their security team gain more visibility and impact. “The Path to Influence: How Three Threat Modelers Can Influence an Entire Organization” by Laurent Bouchard and Léandre Forget-Besnard.
- Adapting threat modeling tools to better fit users’ workflows, driving faster and wider adoption. “Making Threat Modeling More Natural: Recommendations for Practitioners and Tool Developers” by Ron E. Thompson.
- Using threat modeling to foster collaboration between knowledge holders and recipients. “Taking Threat Modeling to the Next Level with Knowledge Transfer” by John Krautheim and Larry England.
Hands-On Learning: Engaging Workshops
In addition to the talks, we hosted two hands-on workshops:
- “Developing the Threat Modeling Mindset” by Robert Hurlbut, which gave both beginners and veterans a solid foundation or a refreshing perspective on threat modeling.
- “Pragmatics of Threat Modeling AWS Architecture Using STRIDE” by Jamil Ahmed, Ph.D., which provided practical tools for analyzing threats in AWS environments.
Meaningful Connections: “Find My Tribe” and “Birds of a Feather”
Networking can be tough, and meaningful connections can be even harder to form at a conference. That’s why we intentionally keep ThreatModCon intimate, fostering a space where attendees can truly connect and make new friends.
This year, we introduced “Find My Tribe”, a peer group activity that connected attendees with shared interests or challenges in threat modeling. Tribes met during the conference, led by facilitators like John Taylor, Sean Glencross, and Izar Tarandach, and had fantastic discussions on topics ranging from automation to asset management.
Another networking highlight was our “Birds of a Feather” roundtable discussions during lunch. Thirteen tables covering six core threat modeling topics turned the lunch hour into a lively exchange of ideas. Special thanks to all the facilitators, including Ron Thompson, Larry England, Stephen de Vries, Caroline Wong, Jonathan Marcil, and many more!
A Big Thank You to Our Conference Committee and Volunteers
We couldn’t have pulled off this amazing event without the dedication and hard work of both our conference committee and volunteers. From crafting the programs and helping with event setup to assisting during sessions and workshops, they ensured everything ran smoothly and created a welcoming atmosphere for all attendees.
Special thanks to our conference committee:
Sandy Blackwell, Zoe Braiterman, Matt Coles, Sebastien Deleersnyder, Sean Glencross, Irene Michlin, Chris Ramirez, Brook Schoenfield
Huge kudos to our amazing volunteers:
Nick Lescanic, Kimia Pourali, Wendy Segura, John Taylor, Yashashvi Thakur
What’s Next?
ThreatModCon started just a year ago in Washington, D.C. Since then, we’ve expanded to Europe with ThreatModCon Lisbon and just wrapped up in San Francisco. So, what’s next?
We’re bringing Threat Modeling Connect to more cities! In addition to our annual conferences like ThreatModCon, we’re launching local chapters in Barcelona, London, and Tokyo by the end of this year. More info to come later this month.
If you’re interested in bringing Threat Modeling Connect to your city next year, drop me a PM or email my team at hello@threatmodelingconnect.com. Let’s make it happen!